This repository has been archived by the owner on May 22, 2024. It is now read-only.
CVE-2024-24786 (Medium) detected in google.golang.org/protobuf-v1.28.0 #142
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
CVE-2024-24786 - Medium Severity Vulnerability
Go support for Google's protocol buffers
Library home page: https://proxy.golang.org/google.golang.org/protobuf/@v/v1.28.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/google.golang.org/protobuf/@v/v1.28.0.mod
Dependency Hierarchy:
Found in base branch: improbable
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Publish Date: 2024-03-05
URL: CVE-2024-24786
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2024-2611
Release Date: 2024-03-05
Fix Resolution: v1.33.0
The text was updated successfully, but these errors were encountered: